Business Continuity Planning (BCP) has its roots from experiences in recovering from disasters. Technology companies in the 1970s created the first plans for technical infrastructure in data centres; the aftermath of the 9/11 attacks saw a much wider appreciation and adoption of sophisticated processes and systems. And now, in 2019, we have a striking example of a country, Estonia, where BCP is critical not just for businesses but for every citizen and national security.
A Long History and a Fast Leap Forward
The history of Estonia traces back to 8500 BC. In more recent times, Estonia regained Independence from Soviet Union in 1991. Since then, in just 1 generation, Estonia has become the poster child of the digital economy. Every service from national ID, birth / death registers, taxes, voting, banking and health are digital. However, the most striking of all is the e-residency program by which non-Estonians can acquire a Digital ID, access public services, open a company etc. WITHOUT physically visiting Estonia.
Inevitably, this attracted several levels of cyber-attacks and resulted in productivity and financial losses. One of the positive developments was to bring the concept of Business Continuity Planning (BCP) for the entire country into the public debate.
Without a top-class BCP, the country could grind to a halt in no time.
Digital Security is as important as National Security
As a long-term security and defense policy, Estonia has been a member of NATO since 2004. However, it was the innovative setting up of a “Data Embassy” that highlighted the importance of Digital Security for Estonia. Based on an agreement between Estonia and Luxembourg, a Tier 4 Level certified data centre in Luxembourg. hosts all the data relevant for the continuity of the Estonian state.
The Data Embassy is a Sovereign Embassy and is covered under the Vienna Convention!
This is not only for data backup, but also for operating critical services. As with physical Estonian embassies world-wide, the servers are also considered sovereign embassies! That provides immunity and access rights. It is an elegant solution for Estonia, converging physical and the digital security, in a friendly Luxembourg.
Is this level of BCP adequate?
As it happened, recently in a North Korean embassy in Madrid these data centres could be physically vandalised and will need significant perimeter security. More insidiously, data in public databases could be manipulated. The adoption and use of blockchain based time-stamping helps in establishing the trust for all end-users – citizens and e-residents.
Way forward for countries and businesses
- Data Localisation mandates that data be physically be present within the borders of the country. Countries like India and Singapore have divergent views on the right implementation model and the Estonian experience is perhaps a good hybrid.
- Newer Escrow data services business models will evolve, to hold sensitive data including patents, recipes, financial and customer data.
- Businesses will find smaller countries more attractive to base their operations; not because of tax incentives but because of a superior and safer digital economy.